RE: Post installation problem with chkconfig

Thanks for the suggestions.

According to the chkconfig man page --del is OK. I prefer to delete the
service rather than just turn it off. I have already tried the off
option and again these services are not turned off during post
installation even on levels 3,4,5, but they are if the script is run
after a reboot. Next time I do an install I will try including off with
the level option.

These are compute nodes running behind a firewall with a small number of
users. So I don't think the rsh security is an issue.

Tony Ladd

-----------------------------------------------------
Anthony JC Ladd
Professor: Chemical Engineering
University of Florida
PO Box 116005
Gainesville, Florida, 32611-6005

Tel:  (352)-392-6509
Fax: (352)-392-9513
Email: ladd@xxxxxxxxxxx
URL:  http://ladd.che.ufl.edu



-----Original Message-----
From: kickstart-list-admin@xxxxxxxxxx
[mailto:kickstart-list-admin@xxxxxxxxxx] On Behalf Of Philip Rowlands
Sent: Thursday, January 29, 2004 3:50 AM
To: kickstart-list@xxxxxxxxxx
Subject: Re: Post installation problem with chkconfig


On Wed, 28 Jan 2004, Tony Ladd wrote:

>My kickstart file executes the following script (among others) after 
>installation
>
>#!/bin/bash
># Set SysV init scripts
>
>off="anacron apmd atd autofs gpm iptables irda isdn kdcrotate kudzu nscd nfs pcmcia rhnsd saslauthd sendmail sshd"
>on="ypbind rexec rlogin rsh time time-udp"
>
>for name in ${off}; do
>/sbin/chkconfig --del $name
>done
>
>for name in ${on}; do
>/sbin/chkconfig --add $name
>/sbin/chkconfig $name on
>done

Bzzzzz - incorrect use of --del. Disable the service, but don't remove
it entirely from chkconfig's control.

This is my equivalent:

#!/bin/sh -

# Turn off all unwanted services
BADSERV="arpwatch httpd ipchains iptables kdcrotate kudzu named \
        nfs rwhod sendmail snmpd ypbind xfs apmd gpm pcmcia \
        linuxconf lpd identd rawdevices autofs rhnsd portmap \
        nfslock netfs xinetd atd"

for s in $BADSERV; do
        test -e "/etc/rc.d/init.d/$s" && \
                /sbin/chkconfig --level 0123456 "$s" off
done


Perhaps you need the --level arg? Also, are you sure you need the r*
services? These have a long and rich history of insecurity...

Remember if you prevent kudzu from running you'll miss the first-boot
"updfstab". Without sendmail running full-time, you might want to drop
something to flush the queue in /etc/cron.hourly.


Cheers,
Phil


_______________________________________________
Kickstart-list mailing list
Kickstart-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/kickstart-list
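
A check that can run at the end of %post, or again after the first boot, to confirm that the services discussed in this thread really are disabled; it is an added example, not part of either poster's scripts. It reads the start links directly, assuming the Red Hat layout /etc/rc.d/rc<N>.d/S<NN><name>; the names enabled_levels, audit_services and ROOT are made up for this example.

```shell
#!/bin/sh
# Added example: audit SysV start links left behind after a %post cleanup.
# Assumes the Red Hat layout /etc/rc.d/rc<N>.d/S<NN><name>; the first
# argument of each function is a root prefix, so the check can be pointed
# at a chroot or at a constructed test tree.

# Print the runlevels (e.g. "345") in which service $2 still has a start link.
enabled_levels() {
    root=$1 svc=$2 levels=""
    for lvl in 0 1 2 3 4 5 6; do
        for link in "$root/etc/rc.d/rc$lvl.d"/S[0-9][0-9]"$svc"; do
            # An unmatched glob stays literal, so test that the link exists.
            if [ -L "$link" ] || [ -e "$link" ]; then
                levels="$levels$lvl"
                break
            fi
        done
    done
    printf '%s' "$levels"
}

# Report every listed service that is still enabled; return 1 if any is.
audit_services() {
    root=$1 found=0
    shift
    for svc in "$@"; do
        lv=$(enabled_levels "$root" "$svc")
        if [ -n "$lv" ]; then
            echo "$svc still starts in runlevels: $lv"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: ROOT=/mnt/sysimage sh audit.sh sendmail nfs kudzu
# (ROOT is this example's own variable; empty means the running system).
if [ "$#" -gt 0 ]; then
    audit_services "${ROOT:-}" "$@"
fi
```

The match is on the whole link name, so checking nfs does not report a start link that belongs to nfslock.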



